The previous key was not correct so it could not be imported into PSA
for validation inside the PK module.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
In some cases, we were calling `mbedtls_test_ssl_endpoint_free()` on an
uninitialized `mbedtls_test_ssl_endpoint` object if the test case failed
early, e.g. due to `psa_crypto_init()` failing. This was largely harmless,
but could have caused weird test results in case of failure, and was flagged
by Coverity.
Use a more systematic style for initializing the stack object as soon as
it's declared.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
PK restartable operations are now implemented using PSA interruptible
ones, so mbedtls_ecp_set_max_ops() can be removed in favor of
psa_interruptible_set_max_ops().
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The SW implementation is guarded with the `MBEDTLS_PSA_BUILTIN_ALG_SHA3`
macros and not enabled when driver accelaration is set. So disabling
the `PSA_WANT` macros is not needed.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.
This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some code that parses or writes X.509 needs to know OID values. We provide a
convenient list. Don't remove this list from the public interface of the
library.
For user convenience, expose these values in the same header as before and
with the same name as before: `MBEDTLS_OID_xxx` in `<mbedtls/oid.h>`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Replace the non-X.509-named error code `MBEDTLS_ERR_OID_NOT_FOUND` with
`MBEDTLS_ERR_X509_UNKNOWN_OID`, which already exists and is currently not
used for anything.
Public functions in X.509 propagate this error code, so it needs to have a
public name.
Remove the definition of `MBEDTLS_ERR_OID_NOT_FOUND` in `x509_oid.h`, then
```
git grep -l MBEDTLS_ERR_OID_NOT_FOUND | xargs perl -i -pe 's/\bMBEDTLS_ERR_OID_NOT_FOUND\b/MBEDTLS_ERR_X509_UNKNOWN_OID/g'
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With the removal of MBEDTLS_SHA3_C the test cases with disabled SHA3
dependency are never executed. Adding a temporary `all.sh` component
which disabling the `PSA_WANT_ALG_SHA3_*` macros to cover
these test cases.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
Both PKCS7 and X509 rely on PK module under the hood and the latter can
use PSA to store keys and perform operations. Therefore psa_crypto_init()
must be called before any operation can be done with PKCS7 and X509.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Set also psa_interruptible_set_max_ops() when mbedtls_ecp_set_max_ops()
is set so that the same amount of operations will be used both if legacy
ECDSA_C or PSA is used under the hood to perform the operation.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
ssl-opt checks for specific error code values in the output, but as
MBEDTLS_ERR_ECP_IN_PROGRESS is becoming an alias of PSA_OPERATION_INCOMPLETE
then this hardcoded value will change.
Therefore allow the result to be either the old mbedtls error, or the new PSA
error, as not to break the CI.
Signed-off-by: Felix Conway <felix.conway@arm.com>
The goal of testing with GCC 15 is to validate fixes for
https://github.com/Mbed-TLS/mbedtls/issues/9814 . The bug is present in
multiple places, and some of them affect third-party drivers but not our
built-in implementation. (The bug is that driver contexts might not be
zero-initialized, but some of our built-in implementations happen not to
care about this.) Thus, enable the test drivers in the test component that
uses GCC 15, to gain the extra checks performed in the driver wrappers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
